Risks
Risk is one of the most complex areas of project management, and this is due not to any lack of a scientific basis but to the inherent difficulty of managing risk. In many ways, risk management is a matter of sensitivity and foresight.
Those who first encounter project management without knowing the theoretical foundations of risk management run into considerable difficulty. The biggest challenge lies in risk identification and assessment.
The Project Manager should consider all possible risks affecting the Project, both positive and negative. However, it frequently happens that only «technical» risks are written down, and managerial, resource (related to some type of Project resource), quality (related to the quality of the Project result) and other risks are forgotten. Risks related to Stakeholders are often not analyzed at all. This can lead to entire strata of risk being lost and, as a consequence, to problems (and problems arising during execution always lead to financial losses).
For a successful execution of the Project, it is necessary to manage risks, and in this article this topic will be touched on only superficially. Why superficially? Because risks are a large area of knowledge that cannot fit within the scope of one article. Incidentally, there is a separate certification dedicated to risk management, PMI Risk Management Professional (PMI-RMP)®.
Let’s start with the concept of risk. A risk is an event that may occur during the course of the Project and may have a positive or negative impact on it. The general understanding is that risks are exclusively negative, but there are also risks that can help in project execution. For example, when planning the construction of a house, we found that if we manage to build the walls before July, the cost of building the roof and roofing will be 10% lower. Naturally, since positive risks have a beneficial effect on the Project, the Project Manager and Team should make efforts to enable such risks; for negative risks, the Project Manager and the Team should try to avoid them and prevent their occurrence. Positive and negative risks are sometimes referred to as Opportunities and Threats, respectively. Regardless of its effect, every risk has a number of characteristics that must be identified:
- Probability that the Risk is realized (Qualitative Risk Analysis process);
- Possible damage to the Project (Qualitative Risk Analysis and Quantitative Risk Analysis processes);
- Expected time of occurrence (when may the Risk arise?);
- Frequency of occurrence of the Risk (the Risk may occur once or every week).
An important feature of risk management is that it must be carried out throughout the Project. Moreover, there is a direct correlation between the level of risk and awareness of the project Scope: if similar projects have been carried out previously, the level of risk (the combination of probability of occurrence and threat to the Project) will be significantly lower than for projects being carried out for the first time.
With the fundamentals of risk management covered, we can move on and consider the processes that risk management requires:
- 11.1 Plan Risk Management
- 11.2 Identify Risks
- 11.3 Qualitative Risk Analysis
- 11.4 Quantitative Risk Analysis
- 11.5 Plan Risk Responses
- 11.6 Monitoring and Control Risks
11.1 Plan Risk Management

The first process, which establishes the risk management principles for a project, is Plan Risk Management. Traditionally, the result of planning the management of an area is a plan for managing it, which becomes part of the Project Management Plan. To successfully draft a Risk Management Plan, we will need:
- Scope Statement. Required for analyzing the content and planning the risks related to it;
- Schedule Management Plan. Allows risks to be correlated with the time factor;
- Cost Management Plan. Widely used in risk planning, from the definition of reporting formats to the formation of project reserves;
- Communications Management Plan. Used for project reporting formats, in particular risk reporting. Drawing up a Risk Management Plan often entails changes to the Communications Management Plan;
- Enterprise Environmental Factors;
- Organizational Process Assets.
Risk Management Plan
Similar to the Project Management Plan, the Risk Management Plan is a compilation of all risk-related processes from the planning process group (i.e. Identify Risks, Qualitative Risk Analysis and Quantitative Risk Analysis); it integrates all risk management planning.
As with all other management plans, you can add anything you think will help in risk management, but the most frequently encountered elements of the Risk Management Plan are listed below:
- Methodology. A list of all the methodologies you are going to apply to risk management: Risk Assessment Methodology, Risk Management and Control Methodology, etc.;
- Roles and responsibilities. To a large extent this element is the result of the Plan Risk Responses process, but it can be supplemented with roles and responsibilities for identifying risks, evaluating risks, assigning risk owners, etc.;
- Description of the risk assessment. How a given risk assessment is to be interpreted. For example, what is the real damage to the Project from a risk with a threat rating of 6? These criteria are very important and must be reviewed before planning and risk assessment begin;
- Assumptions. Not all risks need to be addressed: after identification there should be at least 100 of them (see Identify Risks), so if there are risk assumptions (and there are on any project), they should be specified in the Risk Management Plan. An example of such an assumption might be: «the probability of occurrence shall not exceed 3, and the probable damage shall be less than 4». This makes planning easier: «Why evaluate and model a response to a risk that is extremely unlikely?»;
- Risk Categories, see below;
- Reporting formats. A very specific section, more closely related to Plan Communications;
- Tracking. A description of how risk tracking will be performed. A description of each individual risk tracking method may be required.
Risk Categories
Risks can be classified as:
- External - any type of risk over which the Project Team and key Stakeholders have little influence;
- Internal - internal organizational factors: Team Members, insufficient Planning, tight deadlines, etc.;
- Technical - risks that relate exclusively to the Project Scope;
- Unforeseeable - quite a small group; it is considered that only about 10% of all possible risks of the Project fall into it.
Risks can also be grouped by risk area:
- Scope - risks related to the project’s Scope («Maybe we will not be able to do … part of the work?»);
- Time - risks associated with time restrictions («What if the operation … is delayed?»);
- Cost - risks associated with the project’s Cost («Can this operation … be more expensive than planned?»);
- Quality - risks caused by Quality issues («Can we not meet the standard…?»);
- Resources - risks arising in one way or another from the resources used («What if … we quit?»).
Finally, the risks can be broken down into:
- Business Risk - a group that includes both positive and negative risks;
- Pure/Insurable Risk - a group that includes only negative risks such as natural disaster, fire, theft, damage to equipment, etc.
Risks can also be grouped by other parameters - the source of risk (for example, a certain Team Member, equipment), Work Package, processes, etc. Whatever methods of risk grouping have been chosen, they should facilitate risk management and identification.
11.2 Identify Risks

From the example of Identify Stakeholders, we remember that early identification helps to avoid problems that may arise at later stages of the Project. In the case of Stakeholders, this was because skipping any of them could lead to a new Requirement and, as a consequence, to new Deliverables (and one is lucky if not at the performer’s expense).
The situation with risks is exactly the same: the earlier all possible risks are identified, the fewer potential threats to the Project there will be. For example, before building the roof we did not consider the risk of damage to the equipment, but this event happened. We sent the equipment for repair, but the problem will lead to a delay of two weeks and, as a consequence, to loss of both reputation and money.
The source of identification can be anything, but below are the most common:
- Risk Management Plan;
- Risk Register;
- Management plans for project areas (Scope, Time, Cost, Quality, Human Resources);
- Project Documents (all kinds of reports, graphs, other documents);
- Enterprise Environmental Factors;
- Organizational Process Assets.
Identification is carried out with tools already familiar to us: Brainstorming, the Delphi Technique and Interviewing. These can be complemented by Root Cause Analysis, the decomposition of an assumed high risk into smaller, easily assessed risks (for example, the failure risk of an assembly can be broken down into the failure risks of its individual parts). Another tool worth mentioning is Documentation Analysis: an analysis of thematic articles, Lessons Learned and other external documentation that allows additional risks to be identified.
Strengths, Weaknesses, Opportunities and Threats Analysis, SWOT
This is an analysis of the Strengths and Weaknesses of the Project and the identification of additional risks on their basis.
Checklist Analysis
Review previously used risk categories and identify new risks with their help.
Analysis diagrams
See Ishikawa Diagram and Flowcharts.
Risk Register
After risk identification, a document listing all identified risks should be obtained. After the first iteration of the Planning Process Group it will contain only risk names, but as subsequent processes are performed it is filled with data useful for risk management, in particular:
- Qualitative Risk Analysis;
- Quantitative Risk Analysis;
- Potential risk mitigations;
- Appointment of a risk owner;
- Main source of the risk;
- Risk Categories.
There is an unspoken rule characterizing the quality of Identify Risks: if fewer than 100 risks have been found, not enough have been identified. Do not be afraid of this number; it includes risks of all kinds and degrees of danger to the Project: social risks (dissatisfaction of social groups), HR risks (dismissal of a Team Member, illness of a key Stakeholder), natural (disasters), technical (obsolescence of equipment, changes in technology), state (changes in legislation, bad faith of public servants), and many others.
11.3 Qualitative Risk Analysis

All project managers perform Identify Risks to some extent, but the same cannot be said of risk assessment. Of course, one could argue that when a risk is identified, we automatically assess it according to our assumptions. For example, if we are building a house, we realize that welding the metal structures could start a fire, so all flammable objects should be removed from the work area. But this assessment is very vague; as a rule, an assessment made «on the go» is not tied to any assessment method, and it is not documented. It is worth repeating: PMI requires that all assessments performed be documented in some form, and that the assessment methodology and criteria be defined before the assessment itself.
For Qualitative Risk Analysis we will need the Risk Register (compiled in Identify Risks), the Risk Management Plan (compiled in Plan Risk Management), the Scope Statement (the main reference for risk assessment) and Organizational Process Assets (which may contain rules for carrying out assessments, assessments previously made for similar risks, etc.).
The tools are much more interesting. Let’s consider each of them separately.
Probability and Impact Matrix
A very useful and at the same time simple tool for prioritizing risks. In practice it can take almost any form, for example:

Because, as you remember, there are both negative and positive risks, the example above should consist of two matrices (for negative and positive risks). Sometimes managers build a composite Probability and Impact Matrix:

Let’s look at the matrix in more detail. It should be based on the rules defined in the Risk Management Plan: the rules for indexing the high (dark grey cells), medium (grey cells) and low (white cells) risk zones, the scale values, and the tolerance line boundaries (the thick line running from 7 to 10).
Once we have a matrix, we need to assess each risk on two parameters: the likelihood of occurrence and the threat that the risk entails. Typically the assessment is made by an expert in the subject area, but Three-point estimation (PERT Analysis) can also be used as an assessment tool. Through these assessments, each risk is characterized by the level of threat it represents, expressed as its probability of occurrence and the threat emanating from it.
For example, a fire while welding the metal frame of the roof would have catastrophic consequences, which can be estimated at 9 damage points; the probability of this risk can be estimated at 8 points. Thus we have assessed this risk as lying in the high-danger zone (dark grey). It is obvious that we need to act on this risk in some way; how, we will find out later when we consider the Plan Risk Responses process.
Risk Data Quality Assessment
Interestingly, after the risk analysis several more risks are added: the risk that the analysis has not been carried out completely, the risk that the assessments were not made accurately, etc. To ensure a high-quality risk analysis we need a complete and well-written Scope Statement for the Project, as well as detailed risk descriptions. Even risks that were submitted anonymously (see Identify Risks) should be detailed.
Assessment results
As a result of Qualitative Risk Analysis, each risk has an assessment that helps to build a strategy for further work with it. In addition to the assessment of each individual risk, we obtain an Aggregate Project Risk Assessment, on the basis of which the Project may be re-planned to reduce the risk of its execution, or the company may decide not to carry out the Project at all.
After the assessments, you can order the risks by the assessment obtained (from the most dangerous to the most harmless), which gives a better understanding. This ordered list helps to see which risks require additional quantitative analysis and which require the development of measures to prevent them (or, in the case of a positive risk, to trigger the event). Some less dangerous risks may be placed under observation to monitor their condition.
The next process, Quantitative Risk Analysis, requires the qualitative assessment as input, but quantification is applied not to all risks, only to those that pose the greatest threat to the Project.
11.4 Quantitative Risk Analysis

This process is derived from the previous one but is not mandatory. In fact, a Qualitative Risk Assessment is often quite sufficient for successful risk management, but quantitative assessment gives a more concrete and therefore more tangible picture.
Not all risks of the Project are quantified (remember, there can be a lot of them?); which ones are should be specified in the Risk Management Plan. For instance, for a home construction project we can specify that risks with a probability of occurrence and a threat greater than 9 receive a quantitative assessment; those with a probability of occurrence and a threat greater than 6 get a response plan; and risks with probability and threat less than 3 are merely observed.
Risks that have passed through the Quantitative Risk Analysis process can be said to have received a Risk Assessment.
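As an added example (not from the original article), the following Python script applies the Probability and Impact Matrix and the plan rules just described to a small constructed Risk Register for the house-building example. The 1..10 scales, the zone boundaries, and the reading of «probability and threat greater than N» as a condition on both scores are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of the Risk Register after Qualitative Risk Analysis."""
    name: str
    probability: int        # 1..10, assumed scale from the Risk Management Plan
    impact: int             # 1..10, damage for a threat, benefit for an opportunity
    opportunity: bool = False


# Assumed "Description of the risk assessment" section of a Risk Management
# Plan. The zone boundaries are illustrative; the action thresholds follow the
# house-construction rule quoted in the text (9 / 6 / 3).
PLAN = {
    "high_zone_min": 49,    # probability * impact >= 7 x 7: dark grey cells
    "medium_zone_min": 20,  # probability * impact >= 20: grey cells
    "quantify_min": 9,      # both scores > 9  -> Quantitative Risk Analysis
    "respond_min": 6,       # both scores > 6  -> Plan Risk Responses
    "observe_max": 3,       # both scores < 3  -> observation only
}


def score(risk: Risk) -> int:
    """Cell of the matrix the risk falls into, as probability times impact."""
    return risk.probability * risk.impact


def zone(risk: Risk, plan: dict = PLAN) -> str:
    """Matrix zone: 'high' (dark grey), 'medium' (grey) or 'low' (white)."""
    s = score(risk)
    if s >= plan["high_zone_min"]:
        return "high"
    if s >= plan["medium_zone_min"]:
        return "medium"
    return "low"


def required_action(risk: Risk, plan: dict = PLAN) -> str:
    """Apply the plan rules. Assumed reading: 'probability and threat greater
    than N' means both scores exceed N; 'less than N' means both are below N.
    Risks caught by none of the rules keep their qualitative assessment only."""
    lo = min(risk.probability, risk.impact)
    hi = max(risk.probability, risk.impact)
    if lo > plan["quantify_min"]:
        return "quantify"
    if lo > plan["respond_min"]:
        return "plan response"
    if hi < plan["observe_max"]:
        return "observe"
    return "qualitative only"


def prioritize(register, plan: dict = PLAN):
    """Sort threats and opportunities separately (one matrix each), most
    dangerous first, and attach the zone and the required action."""
    result = {"threats": [], "opportunities": []}
    for r in sorted(register, key=score, reverse=True):
        key = "opportunities" if r.opportunity else "threats"
        result[key].append((r.name, score(r), zone(r, plan), required_action(r, plan)))
    return result


# Constructed register for the article's house-building example.
REGISTER = [
    Risk("fire while welding the metal roof frame", 8, 9),
    Risk("roofing equipment breaks down before the roof is built", 5, 6),
    Risk("rain delays painting the fence by a day", 2, 2),
    Risk("walls finished before July: roofing 10% cheaper", 7, 7, opportunity=True),
]

if __name__ == "__main__":
    for kind, rows in prioritize(REGISTER).items():
        print(kind)
        for name, s, z, action in rows:
            print(f"  {s:3d} {z:6s} {action:16s} {name}")
```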
How to assess?
As usual, PMI offers several tools for this type of assessment. Most of them we already know, so only the last three are discussed in detail:
- Interview;
- Delphi Technique;
- Using the base of Lessons Learned from previous projects;
- Expected Monetary Value Analysis, discussed below;
- Monte Carlo Analysis, discussed below;
- Decision Tree, discussed below.
Expected Monetary Value Analysis
This analysis is very easy to perform and very convenient when you need to estimate the possible material losses from a risk. It is calculated by the formula:
EMV = P * I
where P is the probability of the Risk and I is the monetary impact if the Risk occurs.
For example, there is a 65% chance that the house will catch fire while the metal frame is being welded, with $USD12K of damage. The cost of the risk in this case is 0.65 * $USD12K, i.e. $USD7.8K.
It should be noted that the damage cannot always be estimated with absolute precision, in which case a rough estimate can be considered sufficient.
Monte Carlo Analysis
We already encountered it when considering the Develop Schedule process. If you remember, it allows hundreds of scenarios to be modelled and helps to assess the likelihood of completing the project under its Constraints.
It is used in risk assessment in a similar way. Its task is to assess the risk of the Project as a whole and the probability of completing the Project by a specific date or within a specific budget.
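An added illustration, not part of the original article: a Monte Carlo estimate of the chance of finishing the house within a given budget, using a constructed register of cost risks (the probabilities, impacts and base cost are made up). Because the register is small, the exact probability is also computed by enumerating every combination of risks, which shows how close the simulation gets.

```python
import random
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class CostRisk:
    name: str
    probability: float   # chance the risk occurs during the Project
    impact: float        # extra cost in USD if it occurs


# Constructed register for the house-building example; values are made up.
RISKS = [
    CostRisk("fire while welding the metal roof frame", 0.65, 12_000),
    CostRisk("roofing equipment damaged, two weeks of repair", 0.30, 4_000),
    CostRisk("price of metal profile rises before purchase", 0.20, 2_500),
    CostRisk("late inspection delays fence work", 0.10, 1_500),
]
BASE_COST = 90_000   # planned cost if no risk occurs (constructed)


def sum_of_emv(risks):
    """Expected total loss: the sum of P * I over the register."""
    return sum(r.probability * r.impact for r in risks)


def simulate_once(risks, rng):
    """One scenario: each risk occurs independently with its probability."""
    return sum(r.impact for r in risks if rng.random() < r.probability)


def monte_carlo(risks, base_cost, budget, iterations=10_000, seed=42):
    """Run many scenarios and summarise the resulting cost distribution."""
    rng = random.Random(seed)   # fixed seed so the result is reproducible
    totals = sorted(base_cost + simulate_once(risks, rng) for _ in range(iterations))
    within = sum(1 for t in totals if t <= budget)
    return {
        "p_within_budget": within / iterations,
        "mean_cost": sum(totals) / iterations,
        # cost not exceeded in 80% of scenarios: a budget the Project Manager
        # could propose with that level of confidence
        "p80_cost": totals[int(0.8 * iterations) - 1],
    }


def exact_within_budget(risks, base_cost, budget):
    """Exact probability by enumerating all 2**n combinations of risks.
    Fine for a handful of risks; impractical for a 100-risk register, which
    is where Monte Carlo earns its keep."""
    total = 0.0
    for occurs in product((False, True), repeat=len(risks)):
        p, cost = 1.0, base_cost
        for r, happened in zip(risks, occurs):
            p *= r.probability if happened else 1.0 - r.probability
            cost += r.impact if happened else 0.0
        if cost <= budget:
            total += p
    return total


if __name__ == "__main__":
    budget = BASE_COST + 5_000
    print("sum of EMV:", sum_of_emv(RISKS))
    print("exact P(cost <= budget):", round(exact_within_budget(RISKS, BASE_COST, budget), 4))
    print(monte_carlo(RISKS, BASE_COST, budget))
```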
Decision Tree
To choose the path of project development, the Project Manager can use a Decision Tree, which allows the path the Project should follow to be chosen rationally. This tool has three distinctive features:
- It allows you to choose the path that the Project will follow in days, weeks, months or even years;
- It implies a choice of mutually exclusive development paths;
- The Expected Monetary Value Analysis is used for the calculation.

Evaluate the expected cost of each path using Expected Monetary Value:
| Path | Calculation | Expected Cost |
|---|---|---|
| Decision 1 | 0.4 * $USD20400 + $USD6900 | $USD15060 |
| Decision 2 | 0.16 * $USD3200 + $USD16300 | $USD16812 |
Based on the results obtained, it is clear that following the path of Decision 1 will be more profitable, since its expected cost is lower.
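The EMV formula and the decision tree above, carried through in Python as an added example (not the article's own code). The tree is generalized slightly: each alternative has a cost of its own plus any number of mutually exclusive chance outcomes, and the article's two-decision table is one instance of it; reading each table row as «path cost plus EMV of the path's risk» is an assumption.

```python
from dataclasses import dataclass


def emv(probability: float, impact: float) -> float:
    """Expected Monetary Value: EMV = P * I, rounded to cents."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be within [0, 1], got {probability}")
    return round(probability * impact, 2)


@dataclass(frozen=True)
class Outcome:
    """A chance event on one path of the tree: it occurs with `probability`
    and costs `impact` (positive = loss, negative = gain)."""
    probability: float
    impact: float


@dataclass(frozen=True)
class Alternative:
    """One branch of a decision node: the cost of the path itself plus the
    mutually exclusive chance outcomes hanging off it. Outcome probabilities
    that sum to less than 1 leave a remainder in which nothing extra happens."""
    name: str
    path_cost: float
    outcomes: tuple = ()

    def expected_cost(self) -> float:
        total_p = sum(o.probability for o in self.outcomes)
        if total_p > 1.0 + 1e-9:
            raise ValueError(f"{self.name}: outcome probabilities sum to {total_p}")
        return round(self.path_cost + sum(emv(o.probability, o.impact) for o in self.outcomes), 2)


def choose(alternatives):
    """Pick the mutually exclusive alternative with the lowest expected cost."""
    return min(alternatives, key=Alternative.expected_cost)


# The article's decision, with the values copied from its table.
DECISIONS = (
    Alternative("Decision 1", path_cost=6_900, outcomes=(Outcome(0.40, 20_400),)),
    Alternative("Decision 2", path_cost=16_300, outcomes=(Outcome(0.16, 3_200),)),
)

if __name__ == "__main__":
    print("fire while welding:", emv(0.65, 12_000))   # the article's $USD7.8K
    for alt in DECISIONS:
        print(alt.name, alt.expected_cost())
    print("choose:", choose(DECISIONS).name)
```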
Process output
As a result we get:
- Updated risk prioritization. An expected loss of money always looks more threatening than the estimates given in Qualitative Risk Analysis;
- A first understanding of the required Reserves. We can give the first estimates of the required reserves, both in money and in time;
- Assessment of the ability to achieve the project objectives within the given Constraints. Risk quantification helps to understand whether the Project Team will be able to execute the Project to the established technical requirements; moreover, the assessment can be given as a percentage;
- Evaluation of the probability of implementing the project under its Constraints. In addition to the feasibility of the project as such, Quantitative Analysis allows us to assess the feasibility of implementing it under the time and financial constraints imposed on it.
Although Quantitative Risk Analysis is quite labor-intensive, it is widely used, especially on large projects. And although it is not always in demand, PMI builds the assessment of the required project financial Reserves on it.
11.5 Plan Risk Responses

This is probably the most interesting process of risk management. As the title makes clear, its task is to develop strategies for dealing with each individual risk. It has already been said that it does not make sense to react to every risk; it is necessary to respond to those risks that meet certain criteria (probability of occurrence and level of damage) defined in the Risk Management Plan.
All possible responses to risks can be broken down into four large groups by the action performed:
- to prevent the occurrence of risk (negative risks);
- to reduce risk damage (negative risks);
- to stimulate risk (positive risks);
- to increase beneficial effects from risk (positive risks).
In case a risk event occurs, the following actions are possible:
- Execution of the planned actions for a risk that has occurred (execution of Contingency plans);
- Performing backup actions if the previously performed ones did not have sufficient effect on the risk (Fallback actions);
- In the case of an unanalyzed (unplanned) risk, searching for Workarounds and performing the necessary actions.
Of course, it is impossible to predict everything at once, so some portion of unrevealed risks will always remain. In addition, it is not always possible to find the right response to a risk immediately; a solution may be found some time later, when risks are re-planned (do you remember that planning is iterative?).
Risk Response Strategies/Risk Mitigation Strategies
During the development of Risk Response Strategies, the Team can develop various response options such as tool replacement, resource replacement, etc. Each risk can be assigned one of seven strategies defined by PMI. As an example of a negative risk we will consider the operation of welding the metal roof frame of a house under construction; as a positive one, long-term cooperation with the construction company as a contractor:
- Avoid. Getting rid of the source of risk by any means (rejecting the Activity or Work Package, using another resource, etc.). For example, it is decided to build the frame of the house not from welded metal but from a metal profile with easily mounted fasteners;
- Mitigate. Reducing the negative impact of the risk on the Project. In our example, you can add an Activity to secure the construction site, which will reduce the damage from a possible fire;
- Transfer. A risky area of work is transferred to another participant. This may take the form of insurance or of procuring the result of the Work Package. This strategy is characterized by the fact that the cost of responding to the risk is the cost of the services acquired. In our case, it could be ordering the roof structure from an external organization or, for example, buying insurance for items exposed to fire;
- Exploit. Adding work to increase the probability of the (positive) risk. For example, adding an Activity to decorate the window frames;
- Enhance. Increasing the probability and positive impact of the risk. For example, adding resources to improve the performance of the window-installation Activities;
- Share (with someone or something). Sharing the benefits of the risk with other companies, for example engaging a contractor specialized in such work to perform all the window-installation Activities;
- Accept. This strategy is unique in that it applies to both negative and positive risks. Its essence is that no additional actions are taken; everything is left to chance. This strategy should only be applied to non-hazardous risks that do not cause much harm to the Project.
When designing responses to risks, it is necessary to remember:
- strategies should be developed in a timely manner;
- risk response should be cost-effective;
- one reaction can be applied to several risks;
- multiple reactions may be applied to a single risk;
- it is desirable to develop a response to the source of risk rather than to eliminate its consequences, thereby protecting against several risks at once;
- different Stakeholders can be included in the development of strategies.
Process output
As with all planning processes, updating management plans is inherent in Plan Risk Responses. Since any risk relates directly or indirectly to the need to change the content, timing or cost of the Project, one of the main outputs of the process is the updating of the management plans of the various areas of the Project. For example, transferring the Work Package for installing the metal roof frame to a third-party organization entails changes in Scope and Procurement and, as a consequence, in other areas of the Project.
The Plan Risk Responses process also makes changes to the Risk Register. The changes may involve many aspects, in particular:
- Contingency Plans. Identification of the actions to be taken when a risk occurs. Since risks are both negative and positive, the actions should suit the type of risk. This is one of the main elements requiring an update of the Risk Register;
- Risk Response Owners. In addition to the actions to be taken to prevent or mitigate a risk (for a negative risk) or to increase its probability and impact (for a positive risk), it is necessary to define who will be responsible for monitoring the risk and for controlling and carrying out the responses planned for it;
- Triggers. In order to «catch» a risk, it is necessary to identify events that precede its occurrence. For example, to detect a fire during the installation of the metal roof frame, the maximum heating rate of the welding machine can be determined and monitored during the work;
- Secondary Risks. Every Activity in the Project carries some risk, and the same applies to Activities added as responses to risks. For example, the fact that the Work Package for installing the roof frame will be carried out by a third-party organization adds the risk that something could go wrong: the third party may have various problems that adversely affect its performance. Moreover, as noted earlier, even the development of a Risk Management Plan entails a Secondary Risk that the planning has not been fully carried out;
- Residual Risks. These are risks for which there is no response plan. This does not mean that they can be forgotten: the Project Manager and the Project Team should monitor and control such risks;
- Fallback Plans. A set of actions to be carried out in the event that the Contingency Plans for a risk do not help avoid or stimulate it. Roughly speaking, these are planned responses to failed risk responses;
- Reserves. If you remember, when considering the management of project Time and Cost, it was mentioned that the Project Manager and the Project Team have no right to «inflate» the duration and cost of the Project. Instead, PMI offers the tool of Reserves, both for resources and for time. Reserves are discussed below, as this is a very important topic.
Project Reserves
There are two types of Reserves: Contingency and Management. Contingency Reserves are those whose size can be calculated from the preliminary risk analysis. These Reserves must be calculated and documented. The estimate does not always have an exact value, although it is often possible to determine the exact size of the Reserves; note that Contingency Reserves cover only known risks. For example, the Work Package for the fence includes the purchase and delivery of materials (1), drilling (2), installation of posts (3), installation of connecting structures (4), fastening of profiles (5) and painting (6). For each of these Activities the following Reserves are defined: 1 - $USD20000, 2 - $USD1500, 3 - $USD1500, 4 - $USD6700, 5 - $USD14200, 6 - $USD4900. The Contingency Reserve for this Work Package is therefore $USD48800.
Since it is impossible to foresee everything, unrevealed risks may occur during Project Execution, and these, of course, have a cost. The Project Manager, together with the key Stakeholders of the Project, should determine the amount of Reserves for these risks; they are called Management Reserves. There are no rules for calculating them, because they are unique to the environment in which the Project is carried out, but Management Reserves often amount to around 5% of the cost of executing the Project.
Both Contingency Reserves and Management Reserves form part of the project’s Cost and are included in the Determine Budget process.
11.6 Monitoring and Control Risks

This process is very important during the Project because it helps to avoid situations dangerous to the Project, but without at least Identify Risks, Qualitative Risk Analysis and Plan Risk Responses it is extremely difficult to perform. If we do not identify risks, there is nothing to monitor; without a qualitative assessment it is impossible to understand which risks deserve attention and which do not; and without response plans, all decisions have to be made on the go.
Workarounds
This is a very inefficient way of solving problems that arise during project Execution, because Workarounds are not planned but created during Execution, which causes delays, increases project Cost, decreases the Quality of the product or service, or even leads to failure of the Project.
Of course, a project without surprises is very rare (it is precisely for those risks that are impossible to identify up front that Management Reserves exist), but PMI clearly indicates that the presence of many Workarounds indicates poor risk management (and, above all, poor Planning).
Risk Reassessment
Risks need to be reassessed as the Project progresses. A typical example is the change in a risk’s assessment after the Activities intended to prevent it have been executed.
Risk Audits
Similar to a Quality Audit, but performed quite rarely, and the group performing the audit usually consists of members of the Project Team.
Reserves Analysis
This simply counts the Reserves already used and estimates the Reserves required to complete the Project.
In the course of the Project, risk situations may occur for which funds have been reserved in advance. It is important to understand that for each risk only the funds reserved for it can be used, and if the risk has not occurred and the danger no longer exists, the funds reserved for it must be returned to the company. Another important feature of working with Reserves is that reserved funds should only be used as a last resort: before they are used, the Project Manager and the Project Team must apply Corrective and Preventive changes (see Integrated Change Control). Reserves are not free money to be spent without accountability; they are emergency stocks planned, foreseen and evaluated in the Project Planning process.
Risk Register
As the Project progresses, the Project Manager should document the interaction with risks: the occurrence of a risk and how it was prevented, the amount of resources spent on it, and those risks that have lost relevance. All this information should be added to the company’s Lessons Learned.
In addition, any Stakeholder may discover a new risk as the Project progresses. In this case, the Project Manager should add it to the Risk Register and analyze it according to the Risk Management Plan.
Typical errors in risk management
- Identify Risks is done too early, when there is too little information about the Project, so that many risks remain unrevealed and many are described incorrectly;
- risks are assessed wrongly;
- Identify Risks is not complete;
- too few project-specific risks;
- many unnecessary risks that are not realistic;
- entire categories of risks are omitted (such as social risks, legislative risks, etc.);
- only a limited number of Identify Risks tools were used;
- the first idea that comes to mind is applied as the planned response to a risk, with no deep analysis of the risk;
- too little attention is paid to risks during Project Execution;
- Team Members are not involved in risk management;
- contracts for the purchase of goods or services are signed before the risk assessment.